Complex software systems are typically designed, developed, debugged, deployed, maintained and updated by a group of individuals, such as developers and/or administrators (referred to collectively herein as “users”), employed by a software manufacturing entity. Each user may have a particular role, or multiple roles, in the process, such as writing software updates, testing software, deploying the software in a production environment, upgrading the software in the production environment, and the like. The computing resources on which particular functions are performed may be different. Even the ownership of the computing resources on which the functions are performed may differ.
Establishing security in such an environment can be complex, and can be a bottleneck to efficiency, but is increasingly important in view of the potential damage a hacker can intentionally cause, as well as in view of the disruption even a legitimate user can inadvertently cause. Security can be implemented at many different levels, such as creating security definitions that define which users are permitted to perform which actions on which computing resources, and which users are permitted to modify such security definitions. Moreover, each computing resource may have its own security authentication requirements, which, for example, may require that authentication data, sometimes referred to as credentials, such as user identifiers and passwords, be provided before allowing commands to be performed on the computing resource.
Credentials have their own security issues, because the authentication data must be provided to the users who need to perform actions against the computing resources, yet it is desirable that such information be tightly controlled and restricted to ensure that unauthorized access to a computing resource is prevented. If such users leave the software manufacturing entity, all such authentication data must be changed to ensure that the ex-employee no longer has access to the computing resources. Implementing new authentication data may be onerous and time-consuming, and may involve removing the old authentication data from each computing resource, implementing the new authentication data on each computing resource, and then providing the new authentication data to appropriate users who need access to the computing resources in order to perform the functions for which they are responsible. Due to the onerous nature of changing authentication data, sometimes it is not done immediately, leaving the ex-employee with access to a computing resource.
Accordingly, there is a need for improved security mechanisms that ease the administration of security in a complex software development environment, while maintaining flexibility and a highly secure environment.